Tuesday, 17 June 2008 04:09

Recent Reports of SCADA's Demise have been Greatly Exaggerated

In the past few days, a large number of reports have appeared in the press regarding a security vulnerability in a widely used SCADA package.  While the vulnerability was real, the stridency of the reporting was a little excessive.

SCADA (or Supervisory Control and Data Acquisition) software is used in a large number of industrial situations to manage infrastructure.  The software controls the processes of organisations as diverse as mine sites, biscuit manufacturers, public aquariums and even a well-known Australian media personality (for their garden watering system). 

Cognisant of the risks of exposing such critical infrastructure to the “naughty lads of the Internet,” pretty well every user of SCADA systems makes very sure that they are not exposed.  Normally this involves an air-gap: the industrial systems are simply not connected to anything else.  More recently, with increasing interconnectedness, users are finding that their industrial systems are connected to their business management systems – but (obviously) still remaining behind the corporate firewalls.

In the oft-republished Associated Press article (here for instance) regarding the buffer-overflow in CitectSCADA, a naïve person might think that the sky was about to fall and the nearest water treatment plant was about to fail.

Nothing could be farther from the truth.

Yes, a vulnerability was discovered by Core Security Technologies and reported in detail to Citect on February 6th 2008.  After analysis of the issue, Citect responded to Core that, in effect, they could not determine how the vulnerability might affect their customers as the software was specifically designed and implemented to be well-separated from the internet, and as far as Citect knew, that was how it was being implemented.  Citect added that it would be addressed in the next release of the software.

Specifically, the only way a user of the software could be vulnerable is to have active ODBC interfaces and to be directly connected to the internet without any security.  Seems to me that for computers in such a situation (ignoring the ODBC factor), SCADA vulnerabilities would be the least of their problems!
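The two paragraphs above (segmentation of SCADA systems, and the two conditions under which a site is exposed to this ODBC flaw) describe a triage question a defender can answer from an inventory: is the ODBC interface switched on, and is it reachable from the Internet without a firewall in between? The following script is an added example, not code from Citect or from this article; the zone names, host names, port number and firewall rules in it are constructed sample values, and the first-match, default-deny rule model is an assumption about the site's firewall.

```python
"""Exposure triage for an ODBC-interface vulnerability on a SCADA host.

Added example (not Citect's or the article's code). It encodes the two
conditions the article gives for a site being affected: the host has an
active ODBC interface, and that interface is reachable from the Internet
without any firewall in between. All zone names, hosts, ports and rules
below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

INTERNET = "internet"
SAMPLE_ODBC_PORT = 5000   # constructed value; substitute the real listening port


@dataclass(frozen=True)
class Rule:
    """One firewall rule between two network zones (first match wins)."""
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "allow" or "deny"


@dataclass
class Host:
    """A SCADA server: where it sits and what it listens on."""
    name: str
    zone: str
    listening: Dict[str, int]   # service name -> TCP port it listens on
    odbc_enabled: bool          # ODBC interface switched on in the product


def reachable(rules: List[Rule], src_zone: str, dst_zone: str, port: int) -> bool:
    """Can traffic from src_zone reach dst_zone:port under these rules?

    Hosts in the same zone see each other directly. Between zones the
    default is deny, so an air-gapped zone with no rules at all is
    unreachable from anywhere else. Only direct zone-to-zone rules are
    modelled; multi-hop paths are out of scope for this check.
    """
    if src_zone == dst_zone:
        return True
    for rule in rules:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.dst_port in (None, port)):
            return rule.action == "allow"
    return False


def assess(host: Host, rules: List[Rule]) -> dict:
    """Report which of the article's two exposure conditions hold for a host."""
    odbc_port = host.listening.get("odbc")
    odbc_active = host.odbc_enabled and odbc_port is not None
    from_internet = odbc_active and reachable(rules, INTERNET, host.zone, odbc_port)
    return {
        "host": host.name,
        "odbc_active": odbc_active,
        "odbc_reachable_from_internet": from_internet,
        "exposed": odbc_active and from_internet,
    }


def triage(hosts: List[Host], rules: List[Rule]) -> List[str]:
    """Names of hosts meeting both exposure conditions, in inventory order."""
    return [r["host"] for r in (assess(h, rules) for h in hosts) if r["exposed"]]


# Constructed sample firewall policy.
SAMPLE_RULES = [
    # Business network may query the control network's ODBC port: the
    # "connected to business systems, but behind the corporate firewall" case.
    Rule("business", "control", SAMPLE_ODBC_PORT, "allow"),
    # Internet traffic reaches only the business zone's HTTPS service.
    Rule(INTERNET, "business", 443, "allow"),
    Rule(INTERNET, "business", None, "deny"),
    # No rule mentions the "airgap" zone at all, so nothing reaches it.
]

# Constructed sample inventory.
SAMPLE_HOSTS = [
    Host("plant-a", "airgap", {"odbc": SAMPLE_ODBC_PORT}, True),
    Host("plant-b", "control", {"odbc": SAMPLE_ODBC_PORT, "web": 80}, True),
    Host("plant-c", INTERNET, {"odbc": SAMPLE_ODBC_PORT}, True),
    Host("plant-d", INTERNET, {"web": 80}, False),
]


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(assess(host, SAMPLE_RULES))
    print("exposed:", triage(SAMPLE_HOSTS, SAMPLE_RULES))
```

Run as-is, only `plant-c` (ODBC on, sitting directly on the Internet) comes back exposed; the air-gapped and firewalled hosts do not, which is exactly the distinction the article draws. Swapping in a site's real zone list and rule base turns this into a quick first pass before deciding whether an out-of-cycle patch is warranted.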


Just a note at this point, I actually work for Citect as a training developer – however, I have no connection with software development, management or sales.

Much of this boils down to two issues.  Firstly, whether it is a “real” vulnerability and secondly, what an appropriate response should be.

Considering a ‘normal’ installation of CitectSCADA, this is probably not a real vulnerability.  As mentioned above, the only way a site could be exposed to the problem is to have their SCADA system connected directly to the Internet without any form of protection.

I recall reading a long time ago about one of the Australian PC magazines building a ‘bare’ Windows XP machine and exposing it to the internet.  Over a number of trials, if I recall correctly, the shortest length of time a PC survived until infected by some kind of malware was 6 seconds!  The longest maybe 30 minutes.

With this in mind, I can’t see that an ODBC vulnerability is particularly significant!

So, given this, what should the response be? 

Citect’s role is to examine the vulnerability report and determine the real impact upon their customers.  Having done that, they should then determine whether an urgent patch is required or whether the issue can be dealt with in the normal product development cycle.

Citect initially chose the latter course of action, but also developed a patch to be made available to sites should they insist on applying it.

Given the provenance of the problem, this seemed to be entirely reasonable.  However once various members of the ‘chattering press’ took hold of it, nothing short of a 2-year back-dated patch would have pleased them!

Nothing is simple any more!



David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.
